December 16, 2013

Investigating Internal Network Attacks

Most network threat detection systems are positioned at the edge and lack visibility into internal traffic.  When these devices detect a potential insurgence that is reaching out to the Internet, administrators almost always find themselves investigating for internal network attacks. Why then do most threat detection systems focus on the Internet connections when we look for the infiltration internally?  The logic is based on the principle of single point of entry.  In other words, there is only one way out of the corporate network and the guiding principle is to watch the one-way-out closely.


Although this tactic arguably makes sense, it doesn’t address identifying internal malware efforts which attempt to infiltrate and setup camps by moving laterally within the organization. As stated above, most threat detection solutions (e.g. firewalls) don’t focus on who is hitting the important internal servers. But, there is a larger looming issue: how does malware get past the best perimeter defenses?  The answer: it walks right in.

BYOD Walks Infections Right In

Employees loaded with smart phones and tablets (aka BYOD)  sometimes become infected at home or in public hot spots.  When they bring these devices into work and connect to the corporate network, they “walk right in” past all the best electronic threat detection appliances.

In a Forester Research study titled: Understand the State of Data Security and Privacy, Forrester Analyst – Heidi Shey stated that “While a lot of security focus is on looking outwards and what’s coming in, there also needs to be some attention being paid to looking inwards and seeing what’s going on within the company and what’s going out.”

Detecting Internal Network Threats

To be effective at detecting internal network threats that are trying to spread, administrators need to do some internal network security homework which can include:

  1. Identify business applications and the servers that support them.  The servers could be internal or in the cloud.
  2. Understand application behaviors. What are the typical flow volumes, bytes received/transmitted for these apps and what subnets need access to it? A baseline is needed.
  3. Loaded with an understanding of the application behaviors, it’s then time to set thresholds for traffic that is outside of what is considered normal.

What’s interesting about the 3 items listed above is that they usually can’t be completely automated by appliances claiming to be plug and play. Being effective at uncovering internal network attacks means that security experts must get involved and configure the threat detection appliance in a way that best fits the organizations data security needs.

“Cyber security is an industry where automated threat detection solutions and good human intuition go hand and hand.  To survive or even thrive as an expert in this field often requires a healthy background on how various applications communicate within IP.  Malware developers often piggy back reconnaissance messages on port 80 and even 443.  For this reason, knowing what traffic is normal and what traffic is suspicious takes experience when monitoring HTTP and SSL connections.  The exfiltration of data likes to hide amongst legitimate traffic patterns.” Said Thomas Pore – Dir. of Field Engineering at Plixer.com.  “Security experts are learning to work with network security solutions that build threat indexes.  Knowing how to tweak the settings takes knowledge of how the internal applications normally communicate.  From there, they can figure out what would constitute unwanted behavior. “

Educating Employees on Internet Network Attacks

Although it’s seldom the practice, organizations could protect themselves more easily if they didn’t allow personal BYOD on the network.  If the device is company owned, ideally employees wouldn’t be allowed to install non work related apps.  In many companies however, these policies are not in place.  Even if BYOD was under tighter control, most companies still need to invest more into education.  “Only 42 percent of the North American and European small and midsize business workforce surveyed had received training on how to remain secure at work” said Heidi Shey.  Education is key when it comes to understanding how internal network security threats get in.  Employees need to be educated at least biannually on best BYOD security practices and the rules that are going to be enforced.

Uncovering internal network attacks requires a new approach to threat detection.  Admins at schools, government agencies and corporations alike have to do their homework and customize internal threat detection to meet the needs of the business.  “Cyber security is a great field for those who like a challenge.  Stopping malware is a game of using your head while keeping in mind the amount of money being spent to build up defensive measures.”   Thomas Pore

Setup an Incidence Response Team

Here is some good news: In a study done by Threat Track Security, malware analysts said their ability to defend against malware and other cyber treats has actually improved over the past year.

Internal Network Threats

One reason malware analysts might be better at stopping cyber-attacks is because they have the solutions necessary to become aware of incoming threats. Almost 84% of respondents believe they have the tools to properly defend their organization from an advanced malware attack. One such weapon that the malware analysts are using to their advantage is an Incident Response Team (IRT).  These IRTs need a way to follow up when investigating a problem and NetFlow collection and reporting are often the primary mechanism to peer into what exactly happened.

NetFlow and the IETF standard called IPFIX, are available on all router appliances and since they are widely deployed, visibility is easily attainable in every corner of the network.  Investing in a good flow analysis solution is a step in the right direction when investigating internal network attacks.

About The Contributor:
Mike PattersonCEO, Plixer

As one of the founders of the company, Michael has been involved in the development of Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics at Plixer. He enjoys writing and blogging about all things NetFlow, IPFIX and sFlow related.

See My Other Posts

One thought on “Investigating Internal Network Attacks

Leave a Reply

Your email address will not be published. Required fields are marked *